[j-nsp] SNMP on logical-system fxp0

Alex Arseniev alex.arseniev at gmail.com
Thu Apr 25 13:46:02 EDT 2013


----- Original Message ----- 
From: "Pavel Lunin" <plunin at senetsy.ru>
To: <juniper-nsp at puck.nether.net>
Sent: Thursday, April 25, 2013 5:48 PM
Subject: Re: [j-nsp] SNMP on logical-system fxp0


>
> 25.04.2013 19:04, Alex Arseniev wrote:
>> Netflow does NOT require encryption as standard (SNMPv3 does).
> Netflow or stateful log export is very often not supported on fxp0 and
> analogues. Even if it is, high rate of those logs can easily overwhelm
> RE or the link between RE and data plane.
>> (a) lo0.0 filter copy is applied to fxp0 as well
> It's not in hardware.

Correct. Do you expect someone to attack fxp0 from within your OOB network?
A rogue NMS server, perhaps?
In that case you have OOB network design problems; see my point below wrt
OOB design principles.

>> The providers I worked with build their OOB networks using same design
>> principles as their production networks - never flat L2, routed hops,
>> every site has at least 1 (often 2 or multi-staged) firewall(s)
>> protecting the rest of the OOB domain from "rogue elements".
> Even so. Why fxp0? Why not normal interface (given you have it)?

Because fxp0 is "free" in the sense that it is included in the RE price?


> Well, at the end it's not that important (though evident) why OOB mgt
> interfaces have their limitations, they just do.

It is clearly evident that for every vendor product which has built-in
"management" interfaces on control modules, these built-in interfaces on
control modules cannot deliver the same features & perf as revenue interfaces.
Do you have expectations and/or experience/examples to the contrary?

Thanks
Alex


